There are three major categories of vulnerabilities in this update. There are a few malicious content fixes, where viewing such content can cause "unexpected application termination or arbitrary code execution." CoreGraphics, ImageIO and, interestingly, the Excel file viewer, are all in this category.

There are three fixes to Safari. One is a malicious content bug, like the ones above. One allows malicious iframes to spoof the user interface: "Safari allows an iframe element to display content outside its boundaries," which is a bank scamming site's dream feature. The update disallows this. The final one could allow a malicious program launched through Safari to initiate a call without the user's permission, and even to stop the user from canceling it for a period of time. None of these three appears in last week's update to Safari on Windows and the Mac.

Three vulnerabilities are fixed in the Passcode Lock feature, which has had at least two other bug fixes for not-dissimilar problems in the past (here and here). One new bug could allow the user of a locked phone to call anyone with the emergency call feature. A second one could disable the Passcode Lock during a device restore, and a third one means that SMS messages sent to a locked phone display in their entirety. All these are addressed in the update.

Two remaining bugs could lower the level of encryption in the PPTP VPN app or reveal form field data.